doc:howto:netfilter

doc:howto:netfilter [2013/10/22 12:18]
lorema +nftables, will come with Linux kernel 3.13
doc:howto:netfilter [2014/08/23 09:29] (current)
hamy tcpmms to tcpmss
Line 1: Line 1:
-====== Netfilter ====== +====== Netfilter/​Nftables ​====== 
-[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>​Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful!+[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>​Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful! ​For Nftables, see [[#​Nftables]] further down this wikipage.
  
 Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components. Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components.
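Review bot: the new title "Netfilter/Nftables" and the added cross-reference "For Nftables, see [[#Nftables]] further down this wikipage" spell the project with a capital N, while the section heading the link points to ("===== nftables =====" in the Line 130 hunk) and the project itself write it lowercase; pick one spelling so the link text matches the heading it targets. In the unchanged context on the same line, "about some overview over current and future netfilter components" reads awkwardly; "for an overview of current and future netfilter components" says the same thing clearly.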
Line 79: Line 79:
 ===== Examples ===== ===== Examples =====
 You find some example shell scripts below: You find some example shell scripts below:
- 
   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)
   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)
Line 130: Line 129:
  
 ===== nftables ===== ===== nftables =====
-''​nftables'' ​ is the successor ​of all of the above programs ​and one will replace themToday it is in Alpha-Status: [[wp>nftables]]+[[wp>​nftables]] is the successor of netfilter. Its user space utility **''​nft''​** replaces the entire ''​{ip,​eb,​arp,​ip6}tables''​ user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project. 
 +The command-line user space utility is called **''​nft''​** and there is an API and library interface to it (''​libnftables''​). There is also an iptables to nft handle userspace conversion tool which will ease migration. 
 +nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine. 
 +  * [[http://​netfilter.org/​projects/​nftables/​|nftables homepage]] + [[http://​article.gmane.org/​gmane.comp.security.firewalls.netfilter.devel/​44685|Announcement]] 
 +  * [[https://​home.regit.org/​netfilter-en/​nftables-quick-howto/​|Nftables quick howto]] 
 +    * The user space utility is called **''​nft''​**,​ its input resembles slightly that of **''​[[/​doc/​howto/​packet.scheduler/​packet.scheduler|tc]]''​** 
 +  * https://​dev.openwrt.org/​ticket/​14415 
 + 
 +The OpenWrt developers are aware of the nftables developments, ​and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released 2014-01-20, [[http://​lkml.indiana.edu/​hypermail/​linux/​kernel/​1311.0/​00914.html|Linux 3.12 released .. and no merge window yet .. and 4.0 plans?]]. 
 + 
 +  * Anybody who wants to help in development,​ shall feel free to send patches: 
 +    * for the OpenWrt operating system, see https://​dev.openwrt.org/​wiki/​SubmittingPatches 
 +    * for the [[:​doc:​uci|UCI]] wrapper C-language firewall, see http://​nbd.name/​gitweb.cgi?​p=firewall3.git;​a=summary 
 +  * The proper place for technical discussion on nftables migration is the the OpenWrt development mailing list: https://​lists.openwrt.org/​cgi-bin/​mailman/​listinfo/​openwrt-devel 
 +  * The proper place for general discussions/​ideas is the OpenWrt Forum: https://​forum.openwrt.org/​ 
 +  * The proper place for documentation is either **this wiki page** or **[[doc/howto/nftables]]**. 
 +    * The proper place for documentation of the C-language wrapper firewall is [[doc:​uci:​firewall]]. 
  
 ==== Modules for match/​TARGET ==== ==== Modules for match/​TARGET ====
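Review bot: the first added sentence, "[[wp>nftables]] is the successor of netfilter", contradicts the end of the same paragraph ("It still uses the netfilter architecture for complex extensions and is part of the netfilter project"): nftables replaces the {ip,eb,arp,ip6}tables tool set, not netfilter itself, so write "is the successor of iptables" (the removed line had this right with "successor of all of the above programs"). Three smaller points in the same hunk: the phrase "an iptables to nft handle userspace conversion tool" does not parse, so drop "handle" or name the tool; the link given for the 3.13 release date is the Linux 3.12 announcement (the "1311.0" in the URL and the link text "Linux 3.12 released" both say so) and does not support the 2014-01-20 claim, so cite the 3.13 announcement instead; and "the the OpenWrt development mailing list" has a doubled "the". The link [[doc/howto/nftables]] also uses slash separators where the rest of the page links with [[doc:howto:...]] namespaces.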
Line 148: Line 164:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
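Review bot: the correction from libipt_tcpmms to libipt_tcpmss is right; the extension is tcpmss, not tcpmms. The other rows in this table write paired match/target extensions as libipt_dscp/DSCP and libipt_mark/MARK, so if iptables-mod-ipopt ships the TCPMSS target as well as the tcpmss match, this row should read libipt_tcpmss/TCPMSS for consistency; if it ships only the match, the lowercase form is correct. The unchanged iptables-mod-imq row just above has the typo "use it's successor" (should be "its").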
Line 202: Line 218:
   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]
   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]
 +  * [[http://​ipset.netfilter.org/​iptables-extensions.man.html|List of available extensions to netfilter/​iptables]]
doc/howto/netfilter.1382437088.txt.bz2 · Last modified: 2013/10/22 12:18 by lorema